ProMedica is citing nonsensical privacy policies in an attempt to conceal security deficiencies. The health system would do better to come clean about the latest blunder, which compromised the personal data of nearly 600 patients.
ProMedica says an employee at Bay Park Hospital gained access to 594 patient records between April 1, 2013, and April 1, 2014. But officials refuse to say why the employee violated patients’ privacy by looking at the personal records.
ProMedica officials did not contact law enforcement officials about the security breach — a significant mistake. Oregon Police Chief Mike Navarre says his office will conduct a criminal investigation. That prudent move is in stark contrast to ProMedica’s stonewalling.
The hospital discovered the security breach on April 2 but did not notify the public until last week. ProMedica spokesman Serena Smith told The Blade’s editorial page that the company reported the breach to the U.S. Department of Health and Human Services. But she said the health system is “obligated to protect the privacy of our patients and also the confidentiality of our employees.”
In fact, the company appears to have failed to protect patients’ privacy from an evidently snooping employee. The company could provide a motive for the individual wrongdoing without identifying any patient.
That would go a long way to ease the minds of those who were affected. Withholding that crucial information seems to have less to do with privacy than with a desire to conceal misconduct.
Last month, ProMedica Flower Hospital in Sylvania was in danger of losing its rights to federal Medicare and Medicaid reimbursement because of a rape in the facility’s psychiatric unit. Similarly, hospital officials initially refused to disclose what happened, citing patients’ privacy rights. The assault became public only after the suspect was indicted by a Lucas County grand jury and charged with first-degree felony rape.
Health providers around the country have been using privacy laws such as the federal Health Insurance Portability and Accountability Act as an all-purpose justification for refusing to release any information they don’t want people to know. That has to stop.
These providers and institutions are responsible for guarding patients’ privacy — but not at the expense of public safety or of other patients who may make decisions about their health care based on important and relevant information.